Step 5 — Certification Decision & Issuance
The certification decision at Step 5 is made by an appointed decision-maker who is structurally independent of the audit team that conducted the underlying audit, per ISO/IEC 17021-1 §9.5. The decision-maker reviews audit findings, nonconformity classifications, corrective action evidence, and the audit team recommendation. Decision options include grant, defer, or refuse certification. Following grant, the certificate is issued and accredited certificates are listed on IAF CertSearch.
The Structural Independence Principle
Why Independence Matters
The certification decision is the most consequential single output of the certification engagement — it determines whether a certificate is issued, on what terms, and with what scope. ISO/IEC 17021-1 §9.5 requires that the decision is made independently of the audit team that conducted the underlying audit. This structural separation is one of the core impartiality safeguards in the international certification framework.
What ‘Structurally Independent Means
- The same individual cannot serve as audit team leader AND decision-maker for the same certification engagement.
- The decision-maker did not participate in the audit conduct — opening meeting, audit interviews, evidence gathering, or closing meeting.
- The decision-maker is not in a reporting relationship with the audit team that creates pressure to confirm the audit team’s recommendation.
- The decision-maker has no commercial relationship with the client that could influence the decision.
- The decision-maker reviews the documented audit record independently — they do not ‘rubber-stamp’ the audit team recommendation.
Why This Protects Everyone
Structural independence protects the client, Guardian, accreditation bodies, and the broader certification system:
- Clients are protected from arbitrary or biased decisions — a single auditor’s view cannot determine certification outcomes.
- Guardian is protected from impartiality breaches — the framework provides a structural defence against pressure on individual auditors.
- Accreditation bodies can verify the decision framework operates correctly through their own assessment of Guardian’s processes.
- The broader system — every certificate that bears UAF, IAS, QS, or IAF MLA marks carries the credibility of the underlying decision framework.
The Decision Process
13.1 — Inputs to the Decision
The decision-maker reviews a defined set of inputs from the audit engagement:
- Stage 1 audit report — readiness assessment outcome and any noted areas of concern.
- Stage 2 audit report — full assessment outcome, audit findings, nonconformities raised.
- Nonconformity classification — major, minor, or opportunity for improvement (per ISO/IEC 17021-1 §9.4).
- Corrective action evidence — for any major nonconformities raised, evidence of corrective action and closure verification.
- Audit team recommendation — grant, conditional grant, defer, or refuse.
- Audit working papers — supporting evidence available for review where required.
- CDD / EDD outcome from Step 2 — confirmation that AML/CFT due diligence has been completed and approved.
- Scope statement — confirmed scope, sites, activities, headcount.
- Audit team competence record — confirmation that the audit team had the required competence per IAF MD 11.
- Standard-specific evidence — e.g., Statement of Applicability for ISO/IEC 27001, regulatory framework declaration for ISO 13485, BIA for ISO 22301.
13.2 — Decision Options
Based on review of the inputs, the decision-maker selects from defined decision options:
| Decision Option | Implication |
|---|---|
| Grant certification | Audit findings support grant; any nonconformities are minor or have been closed. Certificate is issued for the standard 3-year cycle. |
| Conditional grant | Certificate is issued subject to defined conditions, such as closure of identified actions within agreed timeframes or first surveillance audit advanced. |
| Defer pending corrective action | Decision is deferred until specific corrective actions are completed and verified. Additional audit time may be required for verification. Certificate issuance is suspended until verification. |
| Refuse certification | Significant systemic gaps preclude certification. Reasons are documented and communicated to the client. The client may pursue Guardian’s Complaints and Appeals process if there are grounds. |
13.3 — Decision Documentation
The certification decision is documented to the level required by ISO/IEC 17021-1 §9.5. Decision records include:
- Identity of the decision-maker.
- Date of decision.
- Inputs reviewed.
- Decision rationale.
- Decision option selected.
- Any conditions attached to the decision.
- Records retained per Guardian’s Quality Manual, available to the accreditation body during oversight visits.
Tier-Specific Decision Authority
This is the architectural keystone of the four-tier model. The decision authority for each tier is structurally distinct, reflecting the different accreditation chains and issuing bodies. Disclosure on this page must align verbatim with the multi-entity disclosure on about accreditation.
ISO 26000 — Attestation Decision (NOT Certification)
Critical terminology — ISO 26000 is a guidance standard, not a management system standard. It cannot be ‘certified’ in the technical sense. Guardian provides an Attestation under the Guardian Approved Scheme — confirmation of a structured self-assessment against ISO 26000 guidance.
How ISO 26000 Differs
ISO 26000 is a guidance standard on social responsibility — it provides guidance, not requirements. Unlike ISO 9001, ISO 14001, or other auditable management system standards, ISO 26000 does not contain ‘shall’ requirements that can be assessed for conformity / nonconformity in the same structural way. The international community has been clear that ISO 26000 is not certifiable in the conventional sense.
What Guardian Offers
Guardian offers an Attestation under the Guardian Approved Scheme — a documented evaluation of the client’s structured self-assessment against ISO 26000 guidance. The Attestation:
- Is issued under the Guardian Approved Scheme (Tier 4) — not under any external accreditation.
- Carries no UAF, IAS, QS, or IAF MLA recognition.
- Is not listed on IAF CertSearch.
- Is annual in cycle, not 3-year.
- Uses the term ‘Attestation’ rather than ‘Certification’ on all output documents.
- Is appropriate where the client wishes to demonstrate structured engagement with ISO 26000 guidance for stakeholder, supplier, or internal-purpose disclosure.
The Attestation Decision
The Attestation decision is made by Guardian Middle East LLC’s appointed decision-maker under the Guardian Approved Scheme. The structural independence principle (decision-maker not part of the assessment team) applies. The decision documents whether the structured self-assessment evidences engagement with ISO 26000 guidance to the level appropriate for an Attestation.
Certificate Issuance
Certificate Content
Following decision to grant certification, the certificate is issued. Standard certificate content includes:
- Certificate number — unique identifier per Guardian’s certificate register.
- Certified entity — legal name of the client.
- Standard(s) — e.g., ISO 9001:2015, ISO/IEC 27001:2022.
- Scope statement — activities and sites covered by the certification.
- Issue date — date of the certification decision.
- Effective date — date from which the certification is in force (typically issue date).
- Expiry date — typically 3 years from effective date for management system standards.
- Issuing certification body — Guardian Assessment Pvt Ltd, TNV Global Limited, Third-Party CB, or Guardian Middle East LLC, depending on tier.
- Accreditation chain — UAF, IAS, IAF MLA, QS as applicable. Tier 4 certificates do not carry accreditation marks and bear the Guardian Approved Scheme disclosure.
- Authorized signatures — from the issuing certification body’s authorized personnel.
Certificate Validity
Accredited management system certificates are valid for 3 years from the effective date, subject to:
- Successful completion of surveillance audits in Year 1 and Year 2. After certification is granted, the client moves to the next step — the 3-year cycle.
- Continued conformity with the standard.
- Continued compliance with the certification contract.
- Continued effective management of any changes affecting the certified scope.
- Compliance with the Use of Marks Policy at legal use-of-marks-policy.
IAF CertSearch Listing
Accredited certificates (Tier 1, Tier 2, Tier 3) are listed on IAF CertSearch — the public, official directory operated by the International Accreditation Forum for verification of accredited certificates worldwide. Listing is initiated by the issuing certification body following certification grant. The IAF CertSearch entry is the authoritative public verification of the certificate.
- Tier 1, Tier 2, Tier 3 — listed on IAF CertSearch.
- Tier 4 (Guardian Approved Scheme) — NOT listed on IAF CertSearch.
Certificate Register
Guardian maintains a certificate register with all issued certificates. The register is the authoritative internal record of issued, suspended, and withdrawn certificates. Public-facing verification routes through IAF CertSearch (for accredited certificates) and through Guardian’s verification request channel at info@guardian.qa (for non-accredited certificates under the Guardian Approved Scheme).
Disclosure Obligations & Use of Marks
What the Client Can Say
Following certification grant, the client may publicly claim certification, subject to compliance with:
- The Use of Marks Policy at legal use-of-marks-policy — governs use of the certification body’s marks, accreditation marks, and IAF MLA mark.
- Accurate representation of scope — claims must accurately reflect the scope on the certificate; claims that overstate scope (e.g., claiming whole-organisation certification when only one site is covered) are misleading and a breach of contract.
- Accurate representation of accreditation — Tier 4 (Guardian Approved Scheme) certificates may be claimed as ‘certified’ but must NOT be claimed as ‘accredited certified’ or claim UAF, IAS, QS, or IAF MLA recognition.
- No reference to consultancy or training — clients must not claim that Guardian Middle East LLC provided consultancy, gap analysis, training, or implementation services in connection with the certification.
Misuse of Certification
Misuse of certification — including overstating scope, falsely claiming accreditation that is not held, or referring to certification on products that are not within the certified scope — is a breach of the certification contract. Detected misuse triggers:
- Initial notice and request for correction.
- Where unresolved, formal warning.
- Where unresolved, suspension.
- In serious or repeated cases, withdrawal of certification.
- In specific circumstances, notification to the accreditation body or to other affected parties as required by ISO/IEC 17021-1.
What Step 5 Is NOT
Step 5 IS
- An independent certification decision under ISO/IEC 17021-1 §9.5.
- Made by an appointed decision-maker structurally separate from the audit team.
- Documented to defined records-retention requirements.
- Subject to tier-specific decision authority.
- The basis for certificate issuance and IAF CertSearch listing (for accredited certificates).
Step 5 IS NOT
- A negotiation between the client and the decision-maker — the decision is made on the basis of objective audit evidence and the standard’s requirements. Commercial considerations are not relevant.
- A ‘rubber-stamp’ of the audit team’s view — the decision-maker performs an independent review. They may, in exceptional cases, reach a different conclusion from the audit team.
- An automatic outcome of Stage 2 — Stage 2 produces an audit report and recommendation; Step 5 produces a decision. Successful Stage 2 (no major nonconformities) is typically followed by grant, but the decision is structurally independent.
- A guaranteed timeline — the decision is taken once all required inputs are available. Where corrective action evidence is required, the timeline extends until evidence is verified.
- An appealable commercial decision — the certification decision can be challenged through the Complaints and Appeals process at /legal/complaints-and-appeals/, but on grounds related to procedural fairness or factual error — not on commercial grounds.
Timeline
| Scenario | Typical Decision Timeline |
|---|---|
| Stage 2 with no major nonconformities | Decision typically made within 5 to 15 business days of audit report finalisation. Certificate issued within a further 5 to 10 business days following decision. |
| Stage 2 with minor nonconformities only | Decision typically made within 10 to 20 business days of audit report finalisation. Corrective action plan accepted; closure verified at next surveillance audit. |
| Stage 2 with major nonconformities | Decision deferred until corrective action evidence is submitted and verified. Total Step 5 duration may extend by 30 to 90 days depending on corrective action complexity. |
| Decision with conditions | Decision typically made within 10 to 20 business days. Conditions, such as advanced surveillance, are documented on the certificate or in a separate condition letter. |
| Refused certification | Decision documented and communicated to the client. The client may re-apply once issues are addressed; re-application typically requires a fresh Step 1, Inquiry, and Step 2, Application & KYC. |
COMPLAINTS & APPEALS
Independent complaints and appeals process per ISO/IEC 17021-1:2015.
Full process: → Complaints & appeals
GET STARTED — CONTACT GUARDIAN
Guardian Middle East LLC | Serving the Middle East
QFC Licence 03870 · Doha, Qatar
Location: Abo Hamour Area, Doha, Qatar
P.O. Box: 23277, Doha, Qatar
Mobile: +974 7770 2602 | +974 7213 7770
Email: info@guardian.qa
Website: www.guardian.qa
Or submit an enquiry: → Contact
Frequently Asked Questions
The certification decision is made by an appointed decision-maker who is structurally independent of the audit team that conducted the underlying audit. The same individual cannot serve as audit team leader and decision-maker for the same engagement. The decision-maker reviews audit findings, nonconformity classifications, corrective action evidence, and the audit team recommendation before making the decision.
Structural independence is required by ISO/IEC 17021-1 §9.5 as a core impartiality safeguard in the international certification framework. It protects the client (decision is not biased by a single auditor's view), Guardian (provides a structural defence against pressure on individual auditors), accreditation bodies (decision framework is verifiable), and the broader certification system.
Four defined decision options: grant certification (audit findings support grant; certificate issued for the standard 3-year cycle); conditional grant (certificate issued subject to defined conditions); defer pending corrective action (certificate not issued until corrective actions are completed and verified); refuse certification (significant systemic gaps preclude certification).
For Stage 2 with no major nonconformities, the decision is typically made within 5 to 15 business days of audit report finalisation, and the certificate issued within a further 5 to 10 business days. Major nonconformities extend the timeline by 30 to 90 days depending on corrective action complexity. Decisions are not rushed — adequate review time is essential to a sound decision.
Yes. The decision-maker performs an independent review and may, in exceptional cases, reach a different conclusion from the audit team. This is rare in practice but is structurally possible and is the reason the independence requirement matters. Where the decision-maker reaches a different conclusion, the rationale is documented and the audit team is informed.
The certificate is issued by the relevant entity in the accreditation chain for your tier. For Tier 1 and Tier 2 (excluding ISO 22301), the certificate is issued by Guardian Assessment Pvt Ltd. For Tier 2 ISO 22301, by the Third-Party Certification Body (IAS-Accredited under MSCB 154). For Tier 3, by TNV Global Limited. For Tier 4 (Guardian Approved Scheme), by Guardian Middle East LLC under the internal scheme. In all cases, Guardian Middle East LLC is your local representative and primary point of contact in Qatar.
Guardian does not hold direct accreditation for ISO 22301. To enable clients in Qatar to access ISO 22301 certification under a recognised accreditation chain, Guardian Middle East LLC partners with a Third-Party Certification Body that holds IAS accreditation (MSCB 154) for ISO 22301. The Third-Party CB is the issuing body; Guardian Middle East LLC coordinates locally as the named representative.
IAF CertSearch is the public, official directory operated by the International Accreditation Forum for verification of accredited certificates worldwide. Tier 1, Tier 2, and Tier 3 accredited certificates are listed on IAF CertSearch following certification grant. Tier 4 (Guardian Approved Scheme) certificates are NOT listed on IAF CertSearch — this is part of the transparent disclosure of the non-accredited scheme.
ISO 26000 is a guidance standard on social responsibility, not a management system standard with auditable 'shall' requirements. The international community has been clear that ISO 26000 is not certifiable in the conventional sense. Guardian provides an Attestation under the Guardian Approved Scheme — confirmation of structured engagement with ISO 26000 guidance — using the term 'Attestation' rather than 'Certification', with annual cycle, no IAF MLA recognition, and no IAF CertSearch listing.
Yes, subject to the Use of Marks Policy at /legal/use-of-marks-policy/. Claims must accurately represent the scope on the certificate, accurately represent the accreditation status (Tier 4 must NOT claim accreditation that is not held), and must not refer to consultancy or training services that Guardian did not provide. Misuse triggers notice, warning, and potentially suspension or withdrawal.
Refusal is documented with reasons and communicated to the client. The client may re-apply once the underlying issues are addressed; re-application typically requires a fresh Step 1 (Inquiry) and Step 2 (Application & KYC). Where the client believes the refusal was procedurally unfair or based on factual error, Guardian's Complaints and Appeals process at /legal/complaints-and-appeals/ provides an independent review channel.
The certification decision can be challenged through the Complaints and Appeals process at /legal/complaints-and-appeals/. Appeals are reviewed independently of the audit team and the certification decision-maker, on grounds related to procedural fairness, factual error, or breach of Guardian's procedures. Appeals on commercial grounds (e.g., 'we paid for certification, we should get it') are not within scope of the appeal framework.
Decision-maker conflict-of-interest declarations are made before each decision. Where the decision-maker has a relevant relationship with the client (financial interest, family relationship, prior consulting, employment relationship, or any other circumstance that could compromise impartiality), the decision is reassigned to a different decision-maker. Cosmetic preferences (e.g., 'we want a familiar decision-maker') are not relevant to impartiality.
Following grant of certification, the certificate is issued, the IAF CertSearch listing is initiated for accredited certificates, and the client enters Step 6 (Surveillance & Recertification). Year 1 and Year 2 of the cycle each require a surveillance audit; Year 3 requires a recertification audit. The certified scope and operational arrangements continue under the certification contract executed at Step 2.
Let’s discuss your Iso Certification needs—reach out today
Compliance notes
The certification decision at Step 5 is conducted under ISO/IEC 17021-1 §9.5 (Decision on certification). The decision-maker is structurally independent of the audit team that conducted the underlying audit. Decision authority is tier-specific: Tier 1 and Tier 2 (excluding ISO 22301) — Guardian Assessment Pvt Ltd; Tier 2 (ISO 22301 only) — Third-Party CB (IAS-Accredited under MSCB 154); Tier 3 — TNV Global Limited; Tier 4 (Guardian Approved Scheme) — Guardian Middle East LLC under internal scheme. ISO 26000 is treated as Attestation under the Guardian Approved Scheme. Accredited certificates (Tier 1, 2, 3) are listed on IAF CertSearch; Tier 4 certificates are NOT. Decisions are subject to challenge through the Complaints and Appeals process. Guardian Middle East LLC operates under QFC Licence 03870.